Manage Your Risk, Not Somebody Else's

Download Manage Your Risk, Not Somebody Else's

Post on 16-Jan-2015



Economy & Finance

1 download

Embed Size (px)


More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space, and theyre getting crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations reduce business risk and help improve business resilience? Just whose risk is really being managed? This presentation will discuss cost effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.


<ul><li> 1. Manage Your Risk, Not Somebody Elses Ben Tomhave, MS, CISSP @falconsview </li></ul> <p> 2. Society of Information Risk Analysts SciTech Information Security Committee 3. Image: 4. The Problem Space All these regulations and standards PCI: Arbitrary &amp; Capricious? HIPAA: Confusing &amp; Misunderstood? NERC CIPs Limited resources Being reactive hows that working out? 5. Image: 6. Define Your Profile How does your business operate? What is most important to survival? 3 key attributes: 1. Business processes 2. Assets 3. Prioritization (via risk analysis) 7. Image: 8. Get Organized Collaborate across the business Formalize methods and policies Identify strategic tools Improve communication Optimize quality Improve overall performance 9. Image: 10. Practical Application #1 1. Right Size your obligations (outsource!) 2. Optimize the proactive to reduce the reactive 3. Reduce complexity (KISS principle) Taming the Compliance Beast 11. Image: 12. Practical Application #2 Appropriate LOE and resources? Set a defensible definition of good enough Insource vs. Outsource When to own it? When to transfer it out? What about insurance / self-insurance? If you cant win, then change the rules. Resilience, anti-fragile, survivability, rugged, etc. The goal is not to stop all bad things from happening! Scaling Risk Management Practices 13. Image: 14. Practical Application #3 DevOps, RM, and the 3 Ways Images: 1. Context 2. Assessment3. Treatment 4. Monitor &amp; Review Communication 15. The Three Ways The First Way: Systems Thinking The Second Way: Amplifying Feedback Loops The Third Way: Culture of Continual Experimentation &amp; Learning Holistic, No Silos, Understand Value Streams Communication, Rapid Response, Embed Knowledge Innovate, Fail Fast / Learn Fast, Freedom &amp; Responsibility Image: 16. Image: 17. To Recap Understand the problem space Define your risk profile Get organized Practical application 1. Tame the compliance beast 2. Scale risk management practices 3. The DevOps revolution 18. Ben Tomhave, MS, CISSP @falconsview </p>